Cybersecurity is top of mind for CFOs. Nearly two-thirds of CFOs in a recent study said they are now taking on responsibility for operational risk management and mitigation—and elements of cybersecurity are a big part of that.
The 2015 Cost of Data Breach Study by IBM and the Ponemon Institute found that the typical total cost of a breach was around $3.8 million, an increase from $3.5 million the year before. Putting aside damage to brand and reputations—which can be substantial—the impact on customer trust, and in turn acquisition and retention as well as market value, all add up.
Cybersecurity is much more than securing access to applications and data, and proactively adapting to the ever-changing threat landscape. It’s also about enforcing strong controls for data integrity, protecting data from loss, and ensuring availability when the business needs it.
Finance leaders in the enterprise need to ask these questions not only about the applications they run internally, but also of their current and prospective cloud providers:
1. What is our organization’s current exposure to cyber threats?
2. How well are we prepared, and how well are our cloud providers prepared?
3. What is our overall risk tolerance, and are our cloud providers aligned with this?
4. Do we and our providers have processes in place to prevent, detect, contain, and respond?
5. Are our providers investing to reduce risk of data loss or downtime?
6. Do we and our providers have a thoroughly tested plan, so there is no delay in the event of an attack?
Cybersecurity & the Cloud
When cloud computing first entered mainstream technology over a decade ago, cybersecurity was often a top concern amongst CFOs and IT alike. Those concerns have waned over recent years, with around 80 percent of CFOs using the cloud in some form.
Cloud technology is now becoming the backbone of the new finance technology landscape.
The best run cloud providers locate applications and data in physically secure, redundant, and geographically distributed data centers. They employ dedicated trained security personnel, and adhere to strong policies, controls, and separation of duties as laid out by standards such as those outlined in SOC 2 and ISO 27001.
They encrypt data at rest and in transit using the latest technology, and ensure applications and infrastructure are always up to date. And they publish their availability and offer SLAs they can stand behind.
It’s a combination that’s often hard to cost effectively achieve with in-house systems and personnel running on-premise systems.
Education & Diligence Required
The role of cybersecurity is increasingly falling to finance leaders, with enterprise-wide operational risk management being added to their growing list of roles and responsibilities.
As a result, education is needed more than ever, because it’s important for finance executives to ask the right questions and feel comfortable getting into the detail about prospective cloud providers’ cybersecurity investments, policies, and procedures.
Clarity Around Compliance
With so many terms bandied around with compliance, it’s important to understand the meaning behind the acronyms, and ensure the certifications you’re asking for, or that your vendors are providing, give you the assurances you expect.
SSAE-16 SOC 1 Type 2
Addresses controls at a cloud provider relevant to the company’s internal control over financial reporting.
The SOC 1 Type 2 report addresses the design and operating effectiveness of a cloud provider’s controls as they pertain to specific Trust Services Principles.
This class of SSAE-16 report provides information to the auditor of an enterprise’s financial statements.
It describes the controls at their cloud provider that are relevant to the enterprise they are auditing’s internal control over financial reporting. It enables the enterprise’s auditor to perform risk assessment procedures, and if a type 2 report is provided, to assess the risk of material misstatement in the financial
statement that may be affected by the cloud provider’s own processing.
The report provides a description of the cloud provider’s controls, suitability of the design of the controls, and in a type 2 report, the operating effectiveness of the controls.
A SOC 1 Type 2 report provides auditors, management of the company, and management of the cloud provider with a clear perspective that confirms appropriate controls are in place for managing an enterprise’s internal reporting.
SSAE-16 SOC 2 Type 2 / SOC 3
Report on the system controls at a cloud provider relevant to security, availability, processing integrity, confidentiality, or privacy.
A SOC 2 report provides management of a cloud provider, their customers, and other specified parties with information about controls at the cloud provider that may affect their customers’ data security, availability, processing integrity, confidentiality, or privacy.
A type 2 report includes a description of a test of controls around these areas, and the results of those tests. A SOC 3 report is for public use, and provides a system description and the auditor’s opinion.
Together, these reports create a clear perspective on how their system interacts with their customers, any sub-service organizations that they use, other parties involved, and their own internal controls and limitations.
ISO/IEC 27001:2013
A standard for securing company data covering people, processes, and IT systems by applying a risk management process.
Jointly published by the International Standardization Organization (ISO) and International Electrotechnical Commission (IEC), ISO/IEC 27001:2013 is a globally recognized information security standard that provides organizations with requirements for an information security management system (ISMS).
The ISO/IEC family of standards defines how providers should manage the security of assets such as financial information, intellectual property, employee details, or entrusted information.
Cybersecurity Moves to the Fore
As CFOs assume greater responsibilities for operational risk management, it is critical to understand security, privacy, and compliance controls. But it doesn’t end here. It is equally important to enforce these controls to ensure data integrity and protect data from loss.
And more than ever, it’s essential to ask the right questions and identify the right answers. Download the full BlackLine whitepaper, Cybersecurity in the Cloud ERA, to learn more.